auditbeat.modules:

- module: auditd
  resolve_ids: true
  failure_mode: silent
  include_raw_message: false
  include_warnings: false
  backlog_limit: 8192
  rate_limit: 0
  audit_rules: |
{% for rules in auditbeat_audit_rules %}
    {{ rules }}
{% endfor %}

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /usr/local/bin
  - /sbin
  - /usr/sbin
  - /usr/local/sbin
  - /etc
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  - '/\.git($|/)'
  include_files: []
  recursive: true

- module: system
  datasets:
    - package
  period: 5m

- module: system
  datasets:
    - host
    - login
    - user  
  period: 1m

#- module: system
#  datasets:
#    - process
#    - socket
#  period: 10s

  state.period: 12h
  socket.include_localhost: false
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

queue.mem:
  events: 32768

{% if beats_output_type == 'elasticsearch' %}
setup.template:
  json.enabled: true
  json.path: '/etc/auditbeat/auditbeat-template.json'
  json.name: 'auditbeat'
  overwrite: true
setup.ilm.enabled: false
setup.dashboards.enabled: true
setup.kibana:
  host: "{{ beats_kibana_host | list | random(seed=ansible_hostname) }}:{{ beats_kibana_port | default('5601') }}"
  protocol: "{% if beats_output_auth | bool and beats_output_https | bool %}https{% else %}http{% endif %}"
{% if beats_output_auth %}
  kibana.name: "{{ beats_output_user | default('elastic') }}"
  kibana.password: "{{ beats_output_pass | default('changeme') }}"
{% endif %}
  ssl:
    supported_protocols: [TLSv1.2]
    verification_mode: none
{% endif %}

output.{{ beats_output_type }}:
  bulk_max_size: 1000
{% if beats_output_type == 'elasticsearch' %}
  protocol: "{% if beats_output_auth | bool and beats_output_https | bool %}https{% else %}http{% endif %}"
{% if beats_output_auth %}
  username: "{{ beats_output_user | default('elastic') }}"
  password: "{{ beats_output_pass | default('changeme') }}"
{% endif %}
  ssl:
    supported_protocols: [TLSv1.2]
    verification_mode: none
{% endif %}
  hosts: ['{{ beats_output_host | list | join(":" + beats_output_port + "', '") }}:{{ beats_output_port }}']
  loadbalance: {% if beats_output_host | length > 1 %}true{% else %}false{% endif %}

fields_under_root: true
fields:
  enviornment: {{ environments | default("prd") | lower }}
  datacenter: {{ datacenter | default("") | lower }}
  domain: {{ domain | default("") | lower }}
  customer: {{ customer | default("Customer") | title | regex_replace("_", "-") }}
  project: {{ group_names[-1] | default("PROJECT") | title | regex_replace("_", "-") }}
  group: {{ group_names[0] | default("GROUP") | title | regex_replace("_", "-") }}
  source: {{ ansible_fqdn }}
{% if tags is defined %}
{% for key,value in tags.iteritems() %}
  {{ key }}: {{ value }}
{% endfor %}
{% endif %}

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

logging.level: error
logging.to_syslog: true

http:
  enabled: true
  host: localhost
  port: {{ beats_port_arg.http }}
